Sensu role-based access control (RBAC) helps different teams and projects share a Sensu instance.
RBAC controls which users and groups may access and manage which resources, using namespaces, groups, roles, and bindings.

Namespaces partition resources within Sensu. Sensu entities, checks, handlers, and other namespaced resources belong to a single namespace.

Namespaces

Namespaces help teams use different resources (entities, checks, handlers, etc.) within Sensu and impose their own controls on those resources.
A Sensu instance can have multiple namespaces, each with their own set of managed resources.
Resource names need to be unique within a namespace, but not across namespaces.

Special resource types

*

All resources within Sensu. The * type takes precedence over other rules within the same role. Sensu RBAC has only allow rules, so there is no way to exclude a single type from a * grant: if a role must not cover a certain type, do not use * and instead list every type the role requires. When applied to a role, the * type applies only to namespaced resource types. When applied to a cluster role, the * type applies to both namespaced resource types and cluster-wide resource types (such as users and namespaces), so a cluster role with * that is assigned through a cluster role binding amounts to full administrative access.

Users

A user represents a person or an agent which interacts with Sensu.
Users and groups can be assigned one or more roles and inherit all permissions from each role assigned to them.

Viewing users

You can use sensuctl to see a list of all users within Sensu.
The following example returns a list of users in yaml format for use with sensuctl create.

sensuctl user list --format yaml

Creating a user

You can use sensuctl to create a user.
For example, the following command creates a user with the username alice, sets the user's password, and assigns the user to the ops and dev groups.
Passwords must be at least eight characters long.

Groups

A group is a set of users within Sensu.
Groups can be assigned one or more roles and inherit all permissions from each role assigned to them.
Users can be assigned to one or more groups.
Groups are not a resource type within Sensu; you can create and manage groups only within user definitions.

Default group

Sensu includes two default groups: cluster-admins, which contains the default admin user, and system:agents, which Sensu agents use internally.

Assigning a user to a group

Groups are created and managed within user definitions.
You can use sensuctl to add users to groups.

Removing a user from a group

Roles and cluster roles

A role is a set of permissions controlling access to Sensu resources.
Roles specify permissions for resources within a namespace while cluster roles can include permissions for cluster-wide resources.
You can use role bindings to assign roles to users and groups.
To avoid re-creating commonly used roles in each namespace, define a cluster role once and assign it with a role binding (not a cluster role binding): the binding's namespace then limits the permissions to that namespace.

Cluster roles

Cluster roles can specify access permissions for cluster-wide resources like users and namespaces as well as namespaced resources like checks and handlers. They can also be used to grant access to namespaced resources across all namespaces (needed to run sensuctl check list --all-namespaces, for example) when used in conjunction with cluster role bindings.
Cluster roles use the same specification as roles and can be managed using the same sensuctl commands with cluster-role substituted for role.

Once you've created the role, create a role binding (or cluster role binding) to assign the role to users and groups.
For example, to assign the prod-admin role created above to the oncall group, create the following role binding.
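Neither the prod-admin role nor the role binding referred to above appears on this page, so here is an added example (not the page's own text and not the Sensu project's definitions) in the yml format that sensuctl create accepts. It assumes a namespace named production exists; the role and binding names, and the dev group, are chosen for illustration. The first two definitions are the namespaced role and the role binding that assigns it to the oncall group. The last two show the pattern described above for reusing a cluster role: a cluster role referenced from a plain role binding, which limits the grant to that binding's namespace. Note that the reference key is spelled role_ref in resource definitions.

```yaml
---
# Added example, not the Sensu project's own definitions.
# Assumption: a namespace named "production" exists; the role and
# binding names below are illustrative.
type: Role
api_version: core/v2
metadata:
  name: prod-admin
  namespace: production
spec:
  rules:
  # "*" in a Role grants every namespaced resource type in "production".
  # Sensu RBAC has no deny rule, so to withhold one type you would have
  # to list the others instead of using "*".
  - verbs:
    - get
    - list
    - create
    - update
    - delete
    resources:
    - '*'
---
# Assigns prod-admin to everyone in the oncall group, in production only.
type: RoleBinding
api_version: core/v2
metadata:
  name: prod-admin-oncall
  namespace: production
spec:
  role_ref:
    type: Role
    name: prod-admin
  subjects:
  - type: Group
    name: oncall
---
# A cluster role defined once, with an explicit (least-privilege) resource list.
type: ClusterRole
api_version: core/v2
metadata:
  name: event-reader
spec:
  rules:
  - verbs:
    - get
    - list
    resources:
    - events
---
# A role binding (not a cluster role binding) that references the cluster
# role: the dev group can read events, but only in the production namespace.
type: RoleBinding
api_version: core/v2
metadata:
  name: event-reader-dev
  namespace: production
spec:
  role_ref:
    type: ClusterRole
    name: event-reader
  subjects:
  - type: Group
    name: dev
```

Apply the file with sensuctl create -f, then confirm the scope with sensuctl: a dev-group user can list events in production but gets a permission error against any other namespace, because the grant comes from a namespaced role binding even though the role itself is cluster-wide.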

Cluster role bindings

Cluster role bindings can assign a cluster role to users and groups.
Cluster role bindings use the same specification as role bindings and can be managed using the same sensuctl commands with cluster-role-binding substituted for role-binding.

Managing role bindings

You can use sensuctl to list, create, and delete role bindings and cluster role bindings.
To use any of these commands with cluster role bindings, substitute the cluster-role-binding command for the role-binding command.

To delete a role binding:

sensuctl role-binding delete [ROLE-BINDING-NAME]

To get help managing role bindings with sensuctl:

sensuctl role-binding help

Role binding and cluster role binding specification

role_ref

description

References a role in the current namespace or a cluster role.

required

true

type

Hash

example

"role_ref": {"type": "Role",
"name": "event-reader"}

subjects

description

The users or groups being assigned.

required

true

type

Array

example

"subjects": [{"type": "User",
"name": "alice"}]

role_ref specification

type

description

Role or ClusterRole. A role binding can reference either a role in its own namespace or a cluster role (referencing a cluster role from a role binding limits the grant to the binding's namespace); a cluster role binding references a cluster role.

required

true

type

String

example

"type": "Role"

name

description

The name of the role or cluster role being assigned.

required

true

type

String

example

"name": "event-reader"

subjects specification

type

description

User for assigning a user or Group for assigning a group.

required

true

type

String

example

"type": "User"

name

description

Username or group name.

required

true

type

String

example

"name": "alice"

Role binding example

The following examples are in yml and wrapped-json formats for use with sensuctl create.

Assigning user permissions within a namespace

For example, the following configuration creates a user alice, a role default-admin, and a role binding alice-default-admin, giving alice full permissions for namespaced resource types within the default namespace.
You can add these resources to Sensu using sensuctl create.

Assigning group permissions within a namespace

For example, the following configuration creates a user alice assigned to the group ops, a role default-admin, and a role binding ops-default-admin, giving the ops group full permissions for namespaced resource types within the default namespace.
You can add these resources to Sensu using sensuctl create.

Assigning group permissions across all namespaces

For example, the following configuration creates a user alice assigned to the group ops, a cluster role default-admin, and a cluster role binding ops-default-admin, giving the ops group full permissions for namespaced resource types and cluster-wide resource types across all namespaces.
You can add these resources to Sensu using sensuctl create.
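The three configurations referred to in this section are not reproduced on the page, so here they are as one added example (not the page's own text and not the Sensu project's definitions), in the yml format accepted by sensuctl create. The password value is constructed for illustration, and the default namespace is assumed to exist. The User definition is also the declarative form of the sensuctl user create command and shows that group membership lives in the user definition. The two role bindings differ only in subject type (User versus Group). The cluster role and cluster role binding at the end are the cross-namespace variant; because * in a cluster role also covers cluster-wide types such as users and namespaces, they grant far more than the namespaced definitions do. The reference key is spelled role_ref in resource definitions.

```yaml
---
# Added example, not the Sensu project's own definitions. The password
# value is constructed for illustration; replace it before use.
type: User
api_version: core/v2
metadata:
  name: alice
spec:
  username: alice
  password: "replace-with-a-real-password"   # at least eight characters
  disabled: false
  groups:
  - ops
---
# Namespaced role: "*" here covers namespaced resource types in "default" only.
type: Role
api_version: core/v2
metadata:
  name: default-admin
  namespace: default
spec:
  rules:
  - verbs:
    - '*'
    resources:
    - '*'
---
# Binding the role to a single user.
type: RoleBinding
api_version: core/v2
metadata:
  name: alice-default-admin
  namespace: default
spec:
  role_ref:
    type: Role
    name: default-admin
  subjects:
  - type: User
    name: alice
---
# The same grant to everyone in the ops group (alice also receives it
# through the groups list in her user definition).
type: RoleBinding
api_version: core/v2
metadata:
  name: ops-default-admin
  namespace: default
spec:
  role_ref:
    type: Role
    name: default-admin
  subjects:
  - type: Group
    name: ops
---
# Cluster role: "*" now also covers cluster-wide types such as users and
# namespaces, i.e. the ability to create users and grant further access.
type: ClusterRole
api_version: core/v2
metadata:
  name: default-admin
spec:
  rules:
  - verbs:
    - '*'
    resources:
    - '*'
---
# A cluster role binding has no namespace; the grant applies everywhere.
type: ClusterRoleBinding
api_version: core/v2
metadata:
  name: ops-default-admin
spec:
  role_ref:
    type: ClusterRole
    name: default-admin
  subjects:
  - type: Group
    name: ops
```

Only the last pair is needed for ops to run commands such as sensuctl check list --all-namespaces; if that is not a requirement, keep the namespaced Role and RoleBinding and leave the cluster-wide definitions out, since a cluster-wide * grant lets any member of ops create users and bindings for themselves and others.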

About Sensu

The Sensu monitoring event pipeline empowers businesses to automate their monitoring workflows and gain deep visibility into their multi-cloud infrastructure, from Kubernetes to bare metal. Companies like Sony, Box.com, and Activision rely on Sensu to help deliver value faster, at scale.